webbrowser module + urls ending in .py = a security hole?

Peter Hansen peter at engcorp.com
Mon Jan 30 12:53:13 CET 2006


Blair P. Houghton wrote:
> I was messing around with the webbrowser module and decided it was
> pretty cool to have the browser open a URL from within a python script,
> so I wrote a short script to open a local file the same way, using the
> script file as an example target:
> 
> # browser-test.py
> import webbrowser
> import sys
> pathname = sys.argv[0]
> protocol = 'file://'
> url = protocol + pathname
> webbrowser.open(url)
> 
> And what I got, instead of a browser window with the text of my script,
> was a sequence of DOS windows popping up and disappearing.
> 
> Apparently that's because either Windows (XP SP2) or the browser
> (Firefox) was interpreting the .py file extension and running Python to
> execute it.
> 
> So is this a known (mis)feature, and will it happen if I chance to use
> webbrowser.open() on a remote .py file?

What happens when you load a remote .py file using the web browser 
directly?  With Firefox on my machine, it just displays the file, as 
expected, whether loaded via webbrowser.open() or not.  Make sure you're 
testing with the same browser that webbrowser loads (try a regular HTML 
file first if you're not sure which that is).

> Because if so, it's a king-hell security hole.

It might probably worth a warning in the docs, but it's no larger a 
security hole than the browser itself already has.  If your browser is 
configured to load files of a given type directly into a particular 
application without first checking with you if you want it to do so, 
you're potentially screwed already.

But is Firefox really your default browser?  The webbrowser module could 
be loading Internet Explorer on your machine, and we all know just how 
safe *that* is...

-Peter




More information about the Python-list mailing list